Scaled Iterated Logarithmic 
Multiplication Proof 
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i£>Z, 



Prover 



CryptoParams = (Group , g , G , p , q) 



v^r 

(g\...,g" i ) = (X ] ,...,X k ) 

(g\...,g Vl ) = (Y ] ,...,Y k ) 

with property that 

c TT>.=fh 

for each 0 < / < £ generate random r } 
for each 1 < / < k w } = r ; u i /r M 



z,=g\ 



(X l ,...,X k ),(Y l ,...J k ),C 



f 



froof Data: 



|) For each 1 < / < A: Chaum-Pederson proofs for £ 
T (i^,^) and (^C.^.Z.) 



T 



j R 1 ,W J ,z n Z j for each !</<£ and 
and Chaum-Pederson Proof Data 



Verifier 



Verify Z % =g Zl 

Verify Correctness of Proof 
Data 

- Accept/Reject, 




Simple Shuffle 
(Shuffler knows exponents) 
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Shuffler ■< 


CryptoParams = (Group , g 


G. P r^Tj 




C = g c 






(g\.. 
1 (g^ 


.,g u >) = (X 1 ,...,X k ) 






■ 1 
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= g c ' = r 




= XJT , 


y t 





/ (random) 



Ho5 



Proof Data: 

3 1) Chaum Pederson Proof for (g,C 9 T,S) 



1 2) Scaled Iterated Logarithmic 
I Multiplicatioin proof for 

{X x ,...,X k UY x ,...J k ) 



T 



4 fo 



Proof Data 



'10 



-> Verifier 



,7 P-p^-o t^ 



40^ 



Verify Correctness of Proof 
Data 
- Accept/Reject 



General Shuffle 
(Shuffler does not know exponents) 



30 L 



Shuffler. S 



CryptoParams = (Group , g , G , p , q) 



-> Verifier. V 



C = g c 



For each 1 < / < A: , generated randomly 1^/ V^ 7 - 



4*0 4 

p ^ So h C I y' f<^0 W * 



(£/,,.. .,t/*) 



u i =Ui+ e, = log^ U, ( known only to S ) 
giSerate random secret, d 



(<?„...,«*) 



5^ 



J± 



For each l<i<k , generate e random 



(U lt ...,U k ) 



1 



l(V l ,...,V k ) = (Ut m ,...,Ut ik) ) ( thatis, (V^ w ,...,V^ k) ) = (U?,...,U d k ) ) j 



a j; 



4 = *r 



J 



Proof Data: 



-SZ- 



1) Simple Shuffle Proof for (U v ...,U k ),(V ] ,...,V k ) 



2) For each 1 < / < k , Chaum-Pederson proofs for 

(g^X^A,) and fol^,*,) 

3) Chaum-Pederson proof for (D,A,C,B) 
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T10 



Verify Correctness of Proof 
Data 
- Accept/Reject 




Anonymous Certificate Distribution 
(Protocol Variant 1) 



Initialization 

|c~ryptoParams = (Group , g , p , q)/- published 



>0 



0 <-f 



[K -"TT^et Yf standard public keys = {h : 
f^eg^trants each know corresponding private key^ such that h J = g"*^ "^ fc 



/ Optional Randomization bv Authorities 



..J2L 



6iv 



In sequence, each authority performs verifiable shuffle on H using (G,C = G c ) as the shuffle commitment, and returns the 
shuffled set,//', along with the shuffle verification transcript, T(H,H',G,C) 

If the verification transcript is correct. Registration Server performs the substitutions 

G = C H -H' j 
and stores the previous values, along with the shuffle verification transcript for audit purposes. 

C5ps can be performed as part of initializ ation, and/or, at any intermidiate stage of anonymous certificate generation.) 



Anonymous 



Certificate Request and Generation Phase (each registrant in turn) 




Registrant 

c! 



12- 



fljl) compute shuffle 
(and verification transcript) 



anonymous authentication request 



T(H 9 H\G,C) , e = cs and index, 1 < j < k 



Registration Server 



2) Generate PKI Certificate Request 
with "random identifying information" 

3) Safely store corresponding private key 
for this request. 



R - PKI Certificate Request 




b o 



1) Check shuffle verification transcript j 

2) Check h) = G e 

if both checks pass 

3) Set K = H=H'-\h'} 

G = C 
k = k-\ 

4) Store T(H,H\G,C) 
for audit purposes 



Q(R) 



deny request 



5) Digitally sign R thereby creatine [ 
PKI Certificate, C1(R) 



\ Else, if anv chec k fails 



Loo P *° begining of this pjiase (ready for next anonymous authentication request) 



Anonymous Certificate Distribution 
(Protocol Variant 2) ' 



700 



Initialization 



j cryptoParams = (Group , g , p ,^^ published 



- set of standard public key pairs = {(g^fy ),..., (g k ,h k )} i 



J = K-H 




[Registrants each know corresponding private key, s s such that h } ~g/ J K^/>6£ 



"1(0 



^ "Optional Randomization by Authorities 



In sequence, each authority performs verifiable shuffle (of pairs) on K using (g,C = g c ) as the suffle commitment, I 
and returns the shuffled set, K r , along with the shuffle verification transcript, T(K,K\G,C) j 

If the verification transcript is correct Registration Server performs the substitution I 

K = K' : 
and stores the previous values, along with the shuffle verification transcript for audit purposes. 

(Wis can be performed as part of initialization, and/or, at any intermidiate stage of anonymous certificate distribution.) j 



Anonymous Certificate Request and Generation Phase (each registrant in turn) 



istrant 



6 ! z 



Re gistration Server 



anonymous authentication request 



iTj^^^subs^Mo: H of size k' <k 



S set M' = H-M 



^Compute shuffle, H' , of M 
<?nd verification transcript) 



3) Generate zero knowledge proof, P 
that registrant knows exponent 
s such that ) s = h] e H' for specified index, l<j<k'\ 



H (contains registrant's public key) 



T(M,H',g,C) , P 



R = PKI Certificate Request 



4) Generate PKI Certificate Request 
with "random identifying information" 

5) Safely store private key corresponding 

to this certificate request 



Q(R) 



deny request 




) Check shuffle verification transcript 
2) Check P 

If both checks pass 

3) Set K = JUMV(H'-y r h' J )}) 

k = k-\ 

4) Store T(M,H',g,C) ( 
for audit purposes ■ 

5) Digitally sign R thereby creating 
PKI Certificate, C1(R) 



Ise. if any check fails^ 



j Toop to Defining of this phase (ready for next anonymous authenticatio n reques fjfe"! 



